AT&T is currently entangled in multiple class action lawsuits after revelations that sensitive data from over 70 million customers was exposed and potentially circulated among malicious actors.
This data leak, confirmed by AT&T just weeks ago, has put millions of current and former customers at risk, as cybercriminals now reportedly have access to sensitive personal details such as addresses, Social Security numbers, email addresses, birth dates, and account passcodes. The origin of the breach—whether from AT&T directly or through a third-party vendor—remains unclear, but the fallout has been swift, and customer complaints continue to rise.
According to the legal filings, customer data has reportedly been available on the dark web since as early as 2021. Plaintiffs allege that AT&T failed to act promptly to prevent or mitigate the breach, allowing data to circulate unchecked among cybercriminals. In response, the telecommunications giant recently reset passcodes for affected accounts to offer some initial protection, yet many believe the company’s actions were too little, too late. The lawsuits claim AT&T’s lack of urgency and transparency on this issue has exposed millions to an elevated risk of identity theft and financial fraud.
As part of its response, AT&T has taken steps to reach out to both current and past customers who may be impacted by the breach. Notifications have been sent via email or mail, warning individuals of the risk and advising them to be vigilant with their personal information. Although AT&T has not disclosed the full extent of the compromised data, it has encouraged affected individuals to monitor for unusual account activity, change passwords, and take additional precautions to safeguard their data.
Commenting on the gravity of the breach, James McQuiggan, a security awareness advocate with KnowBe4, pointed out the challenges large enterprises face in swiftly addressing security incidents. According to McQuiggan, the massive size of organizations like AT&T makes it difficult to pivot rapidly in the wake of a breach, leading to potentially prolonged periods of exposure for affected customers. McQuiggan emphasized that the uncertain origin of the leak only compounds the issue, raising concerns about customer trust, brand reputation, and the financial liabilities AT&T might face through class action settlements.
One of the biggest threats stemming from this breach is the risk of “SIM-jacking” attacks. In such attacks, cybercriminals leverage stolen information to hijack a victim’s phone number, allowing them to intercept text messages, calls, and even SMS-based multi-factor authentication codes. With access to these details, attackers can gain entry to other accounts that use phone numbers as a secondary security measure.
While AT&T has taken initial steps to manage the breach’s fallout, the full scope of the exposure and the implications for affected customers remain uncertain. The company’s response—both in notifying impacted individuals and resetting account passcodes—demonstrates its acknowledgment of the situation but may not be enough to restore consumer confidence entirely. For many, the damage is already done, and the lawsuits aim to hold AT&T accountable for what plaintiffs argue was a preventable breach with severe ramifications for customers’ privacy and financial well-being.
Data breaches have increasingly become a significant concern for businesses, often leading to class action lawsuits claiming that organizations failed to adequately protect personally identifiable information (PII) or protected health information (PHI) from unauthorized disclosure. These lawsuits commonly cite negligence, alleging insufficient cybersecurity practices. However, under both the U.S. Constitution and state constitutions, plaintiffs are required to demonstrate actual harm—damages—before they can seek legal remedies. Without proving damages, plaintiffs lack the legal standing to bring a case.
Several class action lawsuits related to data breaches have been dismissed due to plaintiffs’ inability to show tangible harm resulting from the alleged negligence. This issue of standing was notably addressed by the U.S. Supreme Court in TransUnion, LLC v. Ramirez (2021). In that case, the Court ruled that plaintiffs cannot claim standing if the alleged damages are not concrete and real. The mere threat of future harm, according to the ruling, is insufficient.
New York State courts have similarly adopted this stance in cases involving data privacy, with several recent rulings aligning with TransUnion. Courts have dismissed data breach lawsuits where plaintiffs failed to establish concrete harm, reinforcing the necessity of demonstrating actual damages for standing.
A recent case, Greco v. Syracuse ASC, exemplifies this trend. The plaintiff filed a class action lawsuit against a healthcare provider after a data breach that allegedly exposed personal data to unauthorized third parties. However, the plaintiff failed to show any misuse of the data. In its decision to dismiss the case, the court emphasized that hypothetical future harm could not support standing.
The court determined that the plaintiff’s personal information had not been misappropriated; it also concluded that the personal information of all other individuals affected by the data breach was not misused. Furthermore, it noted that over a year had passed since the breach occurred without any instances of misuse. Additionally, the court found that the plaintiff’s personal information accessible to unauthorized third parties during the breach was restricted solely to health-related information and did not encompass her Social Security number, date of birth, credit card details, or any other information that could facilitate financial crimes.